WEBVTT
00:00:00.280 --> 00:00:02.560
From deep inside the Death
Star, I'm Chad Beeder.
00:00:02.560 --> 00:00:03.920
>> And I'm Andrew Richards.
00:00:03.920 --> 00:00:04.940
>> And I'm Aaron Margosis.
00:00:04.940 --> 00:00:09.710
>> And welcome to Defrag Tools, the
show that takes you inside Microsoft
00:00:09.710 --> 00:00:11.480
and inside Windows.
00:00:11.480 --> 00:00:15.735
We've got a special guest here
this week, Aaron Margosis.
00:00:15.735 --> 00:00:16.675
Welcome back.
00:00:16.675 --> 00:00:17.675
>> Thank you.
It's good to be back.
00:00:17.675 --> 00:00:18.885
It's been a long time.
00:00:18.885 --> 00:00:19.945
>> It's gotta be years, right?
00:00:19.945 --> 00:00:20.465
>> Many.
00:00:20.465 --> 00:00:20.965
>> Yeah.
>> Yes.
00:00:20.965 --> 00:00:21.625
>> It's been a while.
00:00:21.625 --> 00:00:23.515
We've been doing
this show a while so
00:00:23.515 --> 00:00:26.175
it's hard to remember now what
all the things we've done.
00:00:26.175 --> 00:00:27.584
>> Yeah.
>> I think Kennedy was still
00:00:27.584 --> 00:00:28.918
President the last time I was here.
00:00:28.918 --> 00:00:33.560
>> [LAUGH]
>> Back in the Camelot days, right?
00:00:33.560 --> 00:00:34.450
>> Yeah.
>> Yeah, so
00:00:34.450 --> 00:00:37.430
you're back to tell us
about your new book.
00:00:37.430 --> 00:00:38.480
>> I've a new book.
00:00:38.480 --> 00:00:39.020
>> Yes.
00:00:39.020 --> 00:00:39.930
>> I've a new book, that's right.
00:00:39.930 --> 00:00:42.680
>> A new book that should be
of interest to our viewers.
00:00:42.680 --> 00:00:43.650
>> Yes.
>> Absolutely,
00:00:43.650 --> 00:00:46.390
so the first book was.
00:00:46.390 --> 00:00:47.585
>> What year was that? 2011.
00:00:47.585 --> 00:00:47.840
>> 2011?
00:00:47.840 --> 00:00:49.620
>> Mark Russinovich and
00:00:49.620 --> 00:00:52.770
I coauthored a book documenting
the Sysinternals tools
00:00:52.770 --> 00:00:55.700
called Windows Sysinternals
Administrator's Reference.
00:00:55.700 --> 00:00:58.250
The absolute bible,
the quintessential
00:00:58.250 --> 00:01:00.360
>> With the unwieldy title and
00:01:00.360 --> 00:01:03.190
the disproportionate font sizes.
00:01:03.190 --> 00:01:05.140
>> Yeah.
Look at that, Mark gets top
00:01:05.140 --> 00:01:06.640
billing and you're like [INAUDIBLE]
>> Well,
00:01:06.640 --> 00:01:07.750
of course he gets top billing.
00:01:07.750 --> 00:01:11.490
There's no argument about that,
but they forgot to include
00:01:11.490 --> 00:01:14.230
the magnifying glass so you could
read my name off the cover.
00:01:14.230 --> 00:01:15.160
>> Right.
00:01:15.160 --> 00:01:20.510
>> So they fixed that this time
with a new book by shrinking his.
00:01:20.510 --> 00:01:21.030
>> Made, so.
00:01:21.030 --> 00:01:23.330
>> So Troubleshooting with
the Windows Sysinternals Tools,
00:01:23.330 --> 00:01:25.020
one of the reasons for
00:01:25.020 --> 00:01:27.723
the rename was
>> This isn't really about
00:01:27.723 --> 00:01:28.229
IT admins,
00:01:28.229 --> 00:01:31.171
it's about anyone who does technical
work on the Windows platform.
00:01:31.171 --> 00:01:32.156
>> Yeah it is a better.
00:01:32.156 --> 00:01:35.120
>> There's a huge crossover between
developers and IT pros for sure.
00:01:35.120 --> 00:01:38.500
>> Absolutely and
people who just do troubleshooting.
00:01:38.500 --> 00:01:43.010
So we have the new book out; it
just came out in October of 2016.
00:01:43.010 --> 00:01:46.800
And I think it's
a significant improvement-
00:01:46.800 --> 00:01:47.560
>> I was gonna say
00:01:47.560 --> 00:01:48.660
it's a hefty a ton.
00:01:48.660 --> 00:01:49.778
>> It is.
00:01:49.778 --> 00:01:50.360
>> [LAUGH]
>> It's 40%,
00:01:50.360 --> 00:01:52.830
I think the font size
is actually smaller.
00:01:52.830 --> 00:01:54.120
>> And the paper looks thinner too.
00:01:54.120 --> 00:01:57.440
>> And yeah, but
it's 40% more pages.
00:01:57.440 --> 00:02:03.740
Even with that, we put a lot more
material into the book this time.
00:02:03.740 --> 00:02:05.310
>> What fundamentals are in there?
00:02:05.310 --> 00:02:06.850
I mean, the first book was good for
00:02:06.850 --> 00:02:11.450
this too, but you cover the absolute
basics of what Windows is as well.
00:02:11.450 --> 00:02:13.990
And you can take the Windows Internals
book approach,
00:02:13.990 --> 00:02:16.760
but that thing is just so
heavy and deep.
00:02:16.760 --> 00:02:19.460
It's not designed for
that cursory, introductory
00:02:19.460 --> 00:02:22.220
approach to things.
>> Right.
>> One thing you really do now very
00:02:22.220 --> 00:02:23.248
very well is,
00:02:23.248 --> 00:02:27.880
what's the thread,
what's the basic concept of Windows.
00:02:27.880 --> 00:02:31.010
>> Right, yeah,
I really like the Windows core
00:02:31.010 --> 00:02:35.900
concepts chapter in the beginning,
in the intro part
00:02:35.900 --> 00:02:40.480
because we do talk about some
things that are necessary to know and
00:02:40.480 --> 00:02:44.490
in some cases, not very well
documented in other places.
00:02:44.490 --> 00:02:45.000
In fact,
00:02:45.000 --> 00:02:48.200
we have some documentation here that
I don't think exists anywhere else
00:02:48.200 --> 00:02:51.350
describing some of the internals
of AppContainer, which didn't
00:02:51.350 --> 00:02:54.814
exist when we did the first book cuz
that was introduced in Windows 8.
00:02:56.160 --> 00:02:58.720
And have some in Windows 10.
00:02:58.720 --> 00:03:02.710
But there's very little description
anywhere of exactly how the
00:03:02.710 --> 00:03:03.760
AppContainer rules work.
00:03:05.700 --> 00:03:10.040
And the processing of how
an access check is performed now.
00:03:10.040 --> 00:03:12.200
When an app is running
inside an AppContainer.
00:03:12.200 --> 00:03:14.520
>> It's like a security bubble,
is that what-
00:03:14.520 --> 00:03:15.238
>> That's right, yeah.
00:03:15.238 --> 00:03:19.610
So the so-called modern apps, or
Universal Windows apps on Windows 10,
00:03:19.610 --> 00:03:23.520
run inside of a much more
tightly constrained environment.
00:03:23.520 --> 00:03:27.290
Where they basically
cannot affect anything
00:03:27.290 --> 00:03:29.350
outside of the app and
the app's data.
00:03:29.350 --> 00:03:33.310
They cannot affect
your user profile,
00:03:33.310 --> 00:03:34.640
they cannot affect other apps.
00:03:34.640 --> 00:03:38.010
So, one of the improvements
of it was in Windows Vista,
00:03:38.010 --> 00:03:40.650
Windows introduced
the integrity model.
00:03:40.650 --> 00:03:44.340
So, you could have Internet Explorer
Protected Mode running at low
00:03:44.340 --> 00:03:48.730
integrity, it could not affect a lot
of things at medium integrity,
00:03:48.730 --> 00:03:50.310
like most of your apps,
most of your data,
00:03:50.310 --> 00:03:54.940
you couldn't drop stuff into the Run
key, into your Startup folder.
00:03:54.940 --> 00:03:59.420
But it could affect anything else
also running at low integrity.
00:03:59.420 --> 00:04:02.825
With AppContainer they create
a per-app isolation boundary
00:04:02.825 --> 00:04:03.500
[CROSSTALK].
00:04:03.500 --> 00:04:05.554
>> So it's kinda like
cutting it the other way.
00:04:05.554 --> 00:04:06.890
>> Yes, exactly.
00:04:08.160 --> 00:04:11.100
The, I really love that
there's a lot of that kind
00:04:11.100 --> 00:04:15.300
of that just core architectural
content there because that stuff is
00:04:15.300 --> 00:04:16.890
kind of timeless, right?
00:04:16.890 --> 00:04:22.370
A lot of the stuff you know maybe
that's more about the tools is
00:04:22.370 --> 00:04:25.350
excellent and that's all updated for
the latest and greatest tools but
00:04:25.350 --> 00:04:29.830
this, the other stuff like I still
have this will show my age here, but
00:04:29.830 --> 00:04:31.290
I still, on my shelf,
00:04:31.290 --> 00:04:35.690
have the old Peter Norton
Programmer's Guide to the IBM PC.
00:04:35.690 --> 00:04:39.160
And I still use it at
least once a year.
00:04:39.160 --> 00:04:40.430
>> Wow.
>> I am not kidding.
00:04:40.430 --> 00:04:43.630
Like, every once in a while somebody
will ask me about some boot issue,
00:04:43.630 --> 00:04:46.110
and I'll be like, yeah,
it's early enough in boot,
00:04:46.110 --> 00:04:48.050
it's on legacy BIOS or
something, and
00:04:48.050 --> 00:04:51.930
like, yeah, it's that interrupt
call, so every once in a while.
00:04:51.930 --> 00:04:55.350
Or actually the most recent time I
used it was to look up keyboard scan
00:04:55.350 --> 00:04:57.720
codes, which are still
relevant, right?
00:04:57.720 --> 00:05:01.190
So there's some of that stuff so,
I love that there's a lot of
00:05:01.190 --> 00:05:03.290
this sort of core Windows
architecture stuff.
00:05:03.290 --> 00:05:06.590
Because that stuff stays pretty
current for a long, long time.
00:05:06.590 --> 00:05:10.250
So books like this are gonna
be valuable for a long time.
00:05:10.250 --> 00:05:11.390
>> Great.
I hope so.
00:05:11.390 --> 00:05:14.170
So, other things,
other changes also.
00:05:15.270 --> 00:05:18.490
Obviously the Sysinternals
tools have been updated a lot since
00:05:18.490 --> 00:05:19.400
the first book came out.
00:05:19.400 --> 00:05:20.860
>> Yeah, that's what,
four years, five years?
00:05:20.860 --> 00:05:22.660
>> Yeah,
five years worth of changes.
00:05:22.660 --> 00:05:26.110
And so we document all the new
features that are in there and
00:05:26.110 --> 00:05:30.750
some of the new tools that didn't
exist five years ago, for example, and
00:05:30.750 --> 00:05:33.930
of course the ProcDump tool.
00:05:33.930 --> 00:05:36.490
ProcDump was-
>> It was a baby.
00:05:36.490 --> 00:05:40.380
>> Yeah, it was-
>> I think it was version four,
00:05:40.380 --> 00:05:41.270
I think, in the first book.
00:05:41.270 --> 00:05:42.740
>> Yeah, so-
>> Maybe.
00:05:42.740 --> 00:05:49.080
>> First book, it was part of
the process diagnostics chapter.
00:05:49.080 --> 00:05:52.360
And by the time we got around to the
second book, it had grown so much.
00:05:53.400 --> 00:05:55.710
Thanks to Andy Richards.
00:05:55.710 --> 00:05:56.300
>> Yeah.
[LAUGH]
00:05:56.300 --> 00:05:58.500
>> We know what he did.
00:05:58.500 --> 00:06:00.300
It needed its own chapter and so
00:06:00.300 --> 00:06:03.540
it's been upgraded to a full chapter
and there is a whole section in
00:06:03.540 --> 00:06:07.630
there about how it integrates
with process monitor so
00:06:07.630 --> 00:06:12.370
that Process Monitor, in addition
to capturing file, registry,
00:06:12.370 --> 00:06:16.740
network and process events, can
also see things like exceptions and
00:06:16.740 --> 00:06:21.996
debug messages and
other things that.
00:06:21.996 --> 00:06:22.562
>> [CROSSTALK].
00:06:22.562 --> 00:06:27.200
>> Captures CPU utilization
>> This thing is spinning at
00:06:27.200 --> 00:06:28.070
maybe 80% plus.
00:06:28.070 --> 00:06:30.160
>> Performance counters,
memory usage.
00:06:30.160 --> 00:06:35.400
>> Exactly, and all of that stuff's
gonna show up in your Procmon.
00:06:35.400 --> 00:06:38.120
>> Which is
the quintessential tool for
00:06:38.120 --> 00:06:42.885
quick ad hoc timeline investigation.
00:06:42.885 --> 00:06:43.390
>> Yep.
00:06:43.390 --> 00:06:47.690
>> I think all the tools have grown
over the years and I think and
00:06:47.690 --> 00:06:50.290
the chapters
>> Grew with them, and
00:06:50.290 --> 00:06:54.660
I had, I think, about 10 or
15 switches last time.
00:06:54.660 --> 00:06:56.870
Now we actually have all
letters of the alphabet filled.
00:06:56.870 --> 00:07:00.388
>> Right, we're gonna start
using switches in there.
00:07:00.388 --> 00:07:03.670
>> [LAUGH]
>> You have to look up the keyboard
00:07:03.670 --> 00:07:06.440
scan codes to figure out and type.
00:07:06.440 --> 00:07:08.852
>> We'll incorporate the Peter
Norton book in the third edition.
00:07:08.852 --> 00:07:11.137
>> [LAUGH] Exactly
>> [INAUDIBLE] Him out.
00:07:11.137 --> 00:07:12.089
>> [LAUGH]
>> Out 158.
00:07:12.089 --> 00:07:14.990
>> That's right.
00:07:14.990 --> 00:07:16.650
>> Yeah, but I think the whole book
00:07:17.700 --> 00:07:21.260
from basics beginning
core concept is great.
00:07:21.260 --> 00:07:25.160
The way that you describe
each tool is very.
00:07:25.160 --> 00:07:30.540
>> Fluid the fan is cool and it's
a really crazy running curve and
00:07:30.540 --> 00:07:33.325
then we finish it off with
the case of the unexplained.
00:07:33.325 --> 00:07:33.890
>> Mm-hm.
00:07:33.890 --> 00:07:37.436
>> Section, which also got
quite a beefy increase.
00:07:37.436 --> 00:07:38.910
>> Yes, yes, massive.
00:07:38.910 --> 00:07:43.680
That's what happened with the first
book, to be quite honest: we went
00:08:43.680 --> 00:08:47.970
through, we wrote the chapters
about each of the tools, right?
00:07:47.970 --> 00:07:50.370
And described all the tools.
00:07:50.370 --> 00:07:55.210
And we were so
exhausted, we came up with this many
00:07:55.210 --> 00:07:57.830
Cases of the Unexplained we were gonna incorporate
and we were like, okay, we're done.
00:07:57.830 --> 00:08:00.740
We gotta ship this thing.
00:08:00.740 --> 00:08:03.010
And then, because I worked on that for
00:08:03.010 --> 00:08:05.070
a while,
the tools had continued to update.
00:08:05.070 --> 00:08:09.910
We had to go back and
update the tool chapters again.
00:08:09.910 --> 00:08:11.350
>> More work for everyone.
00:08:11.350 --> 00:08:14.940
>> So yeah, so what happened
>> What we did with the second book
00:08:14.940 --> 00:08:19.580
is we started out by writing Case of the
Unexplained and nailed all those down
00:08:19.580 --> 00:08:23.610
and then go through the tools
>> Not only once, but
00:08:23.610 --> 00:08:26.070
yes, but focusing our first we
00:08:26.070 --> 00:08:28.630
put in tons of cases
>> I forget
00:08:28.630 --> 00:08:31.250
>> The case only explains that much. But-
00:08:31.250 --> 00:08:31.910
>> Those are great.
00:08:31.910 --> 00:08:34.540
I mean, everyone loves those cuz
it's like a detective story, right?
00:08:34.540 --> 00:08:37.470
>> Yeah, I was gonna say that you've
actually split it up into categories
00:08:37.470 --> 00:08:40.480
this time, which is the way Mark
kind of thinks of it too when he
00:08:40.480 --> 00:08:41.858
does public speaking.
00:08:41.858 --> 00:08:42.792
Categories the [CROSSTALK].
00:08:42.792 --> 00:08:43.937
>> Okay, yeah.
00:08:43.937 --> 00:08:45.640
Error messages and
how to track them down.
00:08:45.640 --> 00:08:46.360
>> Right.
>> Crashes.
00:08:46.360 --> 00:08:47.300
>> Got more categories.
00:08:47.300 --> 00:08:49.860
>> Yeah, I think there
are more categories, yeah.
00:08:49.860 --> 00:08:51.330
>> Yeah.
00:08:51.330 --> 00:08:53.970
>> Crashes, which we talked
about on defrag tools a bit.
00:08:53.970 --> 00:08:55.930
We've kind of focused on that a bit.
00:08:55.930 --> 00:08:57.400
Hangs and sluggish performance,
00:08:57.400 --> 00:09:02.460
which is a fantastic, always
an interesting investigation vector.
00:09:02.460 --> 00:09:04.530
Malware, I think is a new one.
00:09:04.530 --> 00:09:05.500
>> No, no.
00:09:05.500 --> 00:09:06.090
>> Maybe not.
00:09:06.090 --> 00:09:08.160
Yeah, malware's got
a fair bit there.
00:09:08.160 --> 00:09:11.230
And it's a good 20 or
30 pages worth.
00:09:11.230 --> 00:09:14.300
Understanding system behavior which
is a good under-the-hood thing.
00:09:14.300 --> 00:09:16.360
And then develop
a troubleshooting philosophy.
00:09:16.360 --> 00:09:18.940
>> So yeah last time we had
error messages, hangs and
00:09:18.940 --> 00:09:20.390
sluggish performance, and malware.
00:09:20.390 --> 00:09:21.420
>> And malware.
00:09:21.420 --> 00:09:26.550
>> And this time
>> Error messages, crashes and
00:09:26.550 --> 00:09:30.870
sluggish performance, and
malware, and understanding system behavior.
00:09:30.870 --> 00:09:33.140
This is just about fair
happenings in Windows.
00:09:33.140 --> 00:09:37.033
This one actually takes
some documentation we did.
00:09:37.033 --> 00:09:40.555
In the chapter that we
didn't do in the first book.
00:09:40.555 --> 00:09:47.275
In the first book, we say you can
save your trace as XML, right?
00:09:47.275 --> 00:09:51.705
So normally you save a trace as PML,
which is a proprietary binary
00:09:51.705 --> 00:09:57.035
undocumented file format that
gives you all the information that
00:09:57.035 --> 00:10:02.260
you capture, saved into the file;
you can also save it as XML,
00:10:02.260 --> 00:10:04.170
and in the first book,
that's what we said.
00:10:04.170 --> 00:10:05.140
You can save it as XML.
00:10:06.140 --> 00:10:08.290
Period. No-
00:10:08.290 --> 00:10:08.650
>> Yes.
00:10:08.650 --> 00:10:10.591
>> Detail about-
>> I mean, XML
00:10:10.591 --> 00:10:11.290
>> It's a fact.
00:10:11.290 --> 00:10:12.430
>> It's self-documenting,
00:10:12.430 --> 00:10:15.250
you don't need to say anything
else about it, right?
00:10:15.250 --> 00:10:21.450
So this time we document the full
schema, and then there's two cases,
00:10:21.450 --> 00:10:24.050
in Case of the Unexplained and
Understanding System Behavior,
00:10:24.050 --> 00:10:29.133
that show here's how we use the XML
schema using PowerShell, which
is a great tool for [CROSSTALK]
>> Fantastic shell, yeah.
00:10:33.120 --> 00:10:36.200
With XML to solve some problems.
00:10:37.240 --> 00:10:39.460
And it also describes,
because of that,
00:10:39.460 --> 00:10:42.920
a little bit of
the internal structure of.
00:10:42.920 --> 00:10:44.540
So for example,
00:10:44.540 --> 00:10:49.630
one of the cases had all these short
lived processes, tons of them.
00:10:49.630 --> 00:10:50.490
And trying to figure out, like,
00:10:50.490 --> 00:10:53.360
okay how much time
are they each using up?
00:10:53.360 --> 00:10:58.020
So you can look up, when a process
exits, I think it is, what
00:10:58.020 --> 00:11:01.098
accumulated process
utilization was, process
00:11:01.098 --> 00:11:05.171
CPU utilization.
00:11:05.171 --> 00:11:08.820
But figuring out which processes to
look at becomes difficult because
00:11:08.820 --> 00:11:12.420
when you have lots, lots of short-lived
processes, you're guaranteed that
00:11:12.420 --> 00:11:16.670
there's going to be overlap in the,
or duplication in the process IDs.
00:11:16.670 --> 00:11:19.370
Process IDs are guaranteed to be
unique at any given point in
00:11:19.370 --> 00:11:20.860
time on a computer.
00:11:20.860 --> 00:11:22.030
>> That's the key point though.
00:11:22.030 --> 00:11:23.040
Isn't it?
00:11:23.040 --> 00:11:23.555
>> At that time.
00:11:23.555 --> 00:11:28.543
So, process ID 2220, at that instant
there is no other process or
00:11:28.543 --> 00:11:30.660
thread with that ID.
00:11:30.660 --> 00:11:34.550
But as soon as that process
exits, it's up for reuse.
00:11:34.550 --> 00:11:39.190
And so there's, when you save
as XML, you can actually
00:11:39.190 --> 00:11:43.540
see identifiers distinguishing
this 2220 from that 2220.
00:11:43.540 --> 00:11:44.040
>> Yeah?
00:11:45.880 --> 00:11:48.470
>> Which goes even further,
by the way, in Sysmon,
00:11:48.470 --> 00:11:53.270
because in Sysmon we need a way
>> To uniquely identify a process
00:11:53.270 --> 00:11:57.820
across not just on one computer but
throughout an enterprise.
00:11:57.820 --> 00:12:00.740
Cuz you're capturing information
about processes that were launched
00:12:00.740 --> 00:12:05.080
on computers all around
the enterprise saving it in
00:12:05.080 --> 00:12:07.780
one database and then trying
to figure out what's what.
00:12:07.780 --> 00:12:11.270
And so there are unique identifiers
that Sysmon creates to identify
00:12:11.270 --> 00:12:13.940
a unique process on a system.
00:12:13.940 --> 00:12:18.450
>> Is that true for
thread IDs as well?
00:12:18.450 --> 00:12:21.443
>> No,
because I don't think anything in
00:12:21.443 --> 00:12:23.750
looks at thread IDs
that I can recall.
00:12:23.750 --> 00:12:27.150
>> Maybe Process Monitor?
00:12:27.150 --> 00:12:27.760
>> Yeah.
>> Well,
00:12:27.760 --> 00:12:31.818
I think there's a within itself but
that's kind of.
00:12:31.818 --> 00:12:39.040
So that's cool. So what was
the, what's the hardest part and
00:12:39.040 --> 00:12:42.540
the easiest part of
writing the book?
00:12:42.540 --> 00:12:46.620
>> The hardest part was making sure
that I have the time to do it.
00:12:46.620 --> 00:12:47.540
>> Yeah.
>> That was-
00:12:47.540 --> 00:12:48.360
>> I know how much
00:12:48.360 --> 00:12:49.370
time you spent on the first one,
00:12:49.370 --> 00:12:52.316
so I assume the second one was
equally as big a behemoth?
00:12:52.316 --> 00:12:56.420
>> [LAUGH] So
the first one took two years.
00:12:56.420 --> 00:12:57.260
>> Yeah.
00:12:57.260 --> 00:13:01.850
>> Every vacation, weekend
>> Thousands of.
00:13:01.850 --> 00:13:02.480
>> Yeah.
00:13:02.480 --> 00:13:05.770
I just would, at the end of the
year, I've got use-or-lose vacation.
00:13:05.770 --> 00:13:08.630
I'm going to the basement and
spend it there.
00:13:08.630 --> 00:13:11.250
>> Yeah.
>> And the family went on vacations.
00:13:11.250 --> 00:13:13.290
They're down at the beach,
I'm up at the house
00:13:13.290 --> 00:13:14.100
>> Working on the book.
00:13:14.100 --> 00:13:16.740
>> Yeah.
>> The second book I thought you
00:13:16.740 --> 00:13:19.730
know, it's just an addition
to the first book, right?
00:13:19.730 --> 00:13:20.930
We're not rewriting.
00:13:20.930 --> 00:13:21.977
>> So naive.
>> Everything.
00:13:21.977 --> 00:13:22.874
>> So naive.
00:13:22.874 --> 00:13:23.870
[LAUGH]
>> So
00:13:23.870 --> 00:13:27.180
I figured this will take a year and
it took three.
00:13:27.180 --> 00:13:29.850
And part of it was that I
did not make the sacrifices.
00:13:31.220 --> 00:13:32.550
The second time around.
00:13:32.550 --> 00:13:34.520
And actually, took vacations.
00:13:34.520 --> 00:13:35.940
>> How dare you.
00:13:35.940 --> 00:13:36.510
>> I know.
00:13:36.510 --> 00:13:37.940
Don't tell my manager.
00:13:37.940 --> 00:13:38.995
Don't tell Mark.
00:13:38.995 --> 00:13:41.840
[LAUGH]
>> I would say
00:13:41.840 --> 00:13:44.555
if there was one
>> Companion book
00:13:44.555 --> 00:13:47.685
that goes along with our
show that this is probably.
00:13:47.685 --> 00:13:49.205
>> Yeah, compatible for
Windows quite frankly.
00:13:49.205 --> 00:13:50.405
>> Well, really for Windows, yeah.
00:13:50.405 --> 00:13:53.125
>> Well, who hasn't had
something happen on their box
00:13:53.125 --> 00:13:56.115
when they need to record, and
this is the way to do it, right?
00:13:56.115 --> 00:14:00.109
So I didn't ask,
what's the most enjoyable part?
00:14:00.109 --> 00:14:02.187
>> [LAUGH]
>> Hearing that,
00:14:02.187 --> 00:14:03.545
I've already changed already.
00:14:03.545 --> 00:14:07.035
>> I mean,
I love learning stuff, right?
00:14:07.035 --> 00:14:09.587
I love learning new things
about the platform.
00:14:09.587 --> 00:14:10.146
>> Mm.
00:14:10.146 --> 00:14:13.270
>> And figuring out new
ways to solve problems.
00:14:13.270 --> 00:14:15.000
So I always enjoyed that part.
00:14:15.000 --> 00:14:17.520
>> I think that's what drove Mark
to write the Windows Internals books.
00:14:17.520 --> 00:14:20.140
>> Yeah.
>> He was investigating the OS and
00:14:20.140 --> 00:14:21.790
particularly the lower
versions of the book.
00:14:21.790 --> 00:14:23.870
It was just an exercise
of discovery.
00:14:25.080 --> 00:14:28.930
>> Yes, which built on top of
what he had already been doing.
00:14:28.930 --> 00:14:32.140
Creating the knowledge make and
00:14:32.140 --> 00:14:33.870
that's where he created
the Sysinternals tools.
00:14:33.870 --> 00:14:34.850
>> Yeah.
>> Was to find out
00:14:34.850 --> 00:14:36.430
more about Windows.
00:14:36.430 --> 00:14:37.150
>> Yeah.
00:14:37.150 --> 00:14:39.630
>> And
then from there he started writing,
00:14:39.630 --> 00:14:42.770
coauthoring the Windows internals
books with David Solomon.
00:14:42.770 --> 00:14:44.740
>> Kind of a reverse
engineering exercise.
00:14:44.740 --> 00:14:45.380
>> Yeah.
>> Kind of.
00:14:45.380 --> 00:14:46.600
>> Yeah.
00:14:46.600 --> 00:14:47.690
>> With an API documentation.
00:14:47.690 --> 00:14:50.460
Well actually it was like an API
documentation that drove him to do
00:14:50.460 --> 00:14:52.110
it really, I guess.
00:14:52.110 --> 00:14:53.060
So, very cool.
00:14:53.060 --> 00:14:55.170
Well, thank you for sharing this up.
00:14:55.170 --> 00:14:56.310
Go out and buy it.
00:14:56.310 --> 00:14:59.320
I'm sure it's on every single
decent website out there and
00:14:59.320 --> 00:15:00.870
is on everything else.
00:15:00.870 --> 00:15:02.870
>> Yup
>> Just go buy it.
00:15:02.870 --> 00:15:04.050
>> Microsoft Press.
00:15:04.050 --> 00:15:08.180
>> Enjoy it, and
is there any feedback out on it?
00:15:08.180 --> 00:15:11.120
Is there some way of asking
questions or anything like that?
00:15:11.120 --> 00:15:15.180
>> If anybody reads it and
wants to post
00:15:15.180 --> 00:15:17.285
really nice things
about it on Amazon.
00:15:17.285 --> 00:15:18.840
>> [LAUGH]
>> More Amazon
00:15:18.840 --> 00:15:20.230
reviews would be great.
00:15:20.230 --> 00:15:23.510
Feedback, I believe there is-
>> Name, address.
00:15:23.510 --> 00:15:26.290
>> Somewhere in the book it does
say where to provide feedback and
00:15:26.290 --> 00:15:28.470
errata, because-
>> Yeah.
00:15:28.470 --> 00:15:31.010
>> There might be a mistake
in there somewhere
00:15:31.010 --> 00:15:32.620
that needs to be corrected.
00:15:32.620 --> 00:15:34.320
But in general.
00:15:34.320 --> 00:15:36.980
>> Semicolon that should be
a colon or something like that.
00:15:36.980 --> 00:15:38.300
So please point it out.
00:15:38.300 --> 00:15:41.280
>> And as I said you can
always say [INAUDIBLE]
00:15:41.280 --> 00:15:42.210
we can forward it to Aaron.
00:15:42.210 --> 00:15:42.720
>> Yeah.
00:15:42.720 --> 00:15:43.840
>> For sure.
00:15:43.840 --> 00:15:45.020
>> Absolutely.
00:15:45.020 --> 00:15:46.370
>> Cool.
Thank you for joining us.
00:15:46.370 --> 00:15:46.895
>> Thank you.
>> [INAUDIBLE]
00:15:46.895 --> 00:15:48.240
>> Thanks for having me.
00:15:48.240 --> 00:15:51.170
>> And we'll see you
actually next week as well.
00:15:51.170 --> 00:15:54.090
Troubleshooting with
the Windows Sysinternals Tools.
00:15:54.090 --> 00:15:57.080
Is it actually called second
edition, or you changed the name,
00:15:57.080 --> 00:15:59.498
but it's essentially
the updated [INAUDIBLE].
00:15:59.498 --> 00:16:00.560
>> Yeah.
We kind of
00:16:00.560 --> 00:16:02.720
call it second edition
in parentheses.
00:16:02.720 --> 00:16:04.380
>> Gotcha.
>> But not on the cover.
00:16:04.380 --> 00:16:05.290
>> Awesome.
00:16:05.290 --> 00:16:07.470
>> And
you have to read the foreword also.
00:16:07.470 --> 00:16:08.270
The foreword is-
00:16:08.270 --> 00:16:08.880
>> By a noted-
>> Hilarious.
00:16:08.880 --> 00:16:10.070
>> By a noted person.
00:16:10.070 --> 00:16:11.130
>> A noted person, yes.
00:16:11.130 --> 00:16:12.890
>> We could actually
find somewhere else.
00:16:12.890 --> 00:16:15.550
>> There's a little asterisk,
pages and pages and pages away.
00:16:15.550 --> 00:16:16.600
>> Are we going to see who it is?
00:16:16.600 --> 00:16:18.600
Or people have to buy
the book to find out?
00:16:18.600 --> 00:16:20.030
>> You have to buy it.
Worthy of a read.
00:16:20.030 --> 00:16:21.055
>> All right. Excellent.
00:16:21.055 --> 00:16:23.455
All right, well, that's our show as
00:16:23.455 --> 00:16:24.145
always.
00:16:24.145 --> 00:16:26.955
If you have questions or
comments, put them in the show notes
00:16:26.955 --> 00:16:31.965
down there or email us at
defragtools@microsoft.com and
00:16:31.965 --> 00:16:34.015
we'll see you next week. Thanks for
watching.
00:16:34.015 --> 00:16:34.575
>> See you next week.
00:16:34.575 --> 00:16:35.075
>> Thank you.